[Package Issue]: JAMSoftware.TreeSize 8.5.2

[Andrej730]

Please confirm these before moving forward

• I have searched for my issue and not found a work-in-progress/duplicate/resolved issue.
• I have not been informed if the issue is resolved in a preview version of the winget client.

Category of the issue

Installer hash mismatch.

Brief description of your issue

Trying to install Treesize 8.5.2 result in hash mismatch. Not sure if it's related to #89700 but i'll try to summon @mdanish-kh 😅

> winget install JAMSoftware.TreeSize --verbose
Found TreeSize [JAMSoftware.TreeSize] Version 8.5.2
This application is licensed to you by its owner.
Microsoft is not responsible for, nor does it grant any licenses to, third-party packages.
Downloading https://downloads.jam-software.de/treesize/TreeSize-x64-Demo.exe
  ██████████████████████████████  28.2 MB / 28.2 MB
Installer hash does not match.

Actual hash:

>certutil -hashfile TreeSize-x64-Demo.exe SHA256
SHA256 hash of TreeSize-x64-Demo.exe:
c1efd497f78a712f46e3be0951eb933a6308bcb13e6181828b714b6905c26861
CertUtil: -hashfile command completed successfully.

Expected hash from https://github.com/microsoft/winget-pkgs/blob/master/manifests/j/JAMSoftware/TreeSize/8.5.2/JAMSoftware.TreeSize.installer.yaml:
CBDC45F8F7A3C3BE692FAB3772F7690B17E647D33D28A615E4DF065FD9A1D98A

Steps to reproduce

winget install JAMSoftware.TreeSize --verbose

Actual behavior

Installer hash does not match.

Expected behavior

Complete installation

Environment

Windows Package Manager v1.4.10173
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.22621.1105
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.19.10173.0

Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

User Settings: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Screenshots and Logs

No response

[mdanish-kh]

Trying to install Treesize 8.5.2 result in hash mismatch. Not sure if it's related to #89700

The publisher uses a "vanity" URL (URL that always points to a latest version) because of which the manifest needs to be updated with the new hash and version for every new release. I've opened a PR to update the manifest for the new release.

[Andrej730]

The publisher uses a "vanity" URL (URL that always points to a latest version) because of which the manifest needs to be updated with the new hash and version for every new release. I've opened a PR to update the manifest for the new release.

How it usually works? New version comes out, hash updates, some user notices and creates issue/submits PR?

[mdanish-kh]

@Andrej730 This process is automated by wingetbot which generally updates the manifests that use these vanity Urls. It scans the repo daily for hash mismatches and tries to update the manifest with the correct hash and version. You can read #69497 (comment) for more detail on how it works.

For updating the version, wingetbot downloads the installer and fetches the FileVersion field from the installer file. The issue is that not all publishers, including the publisher of this package, set this value identical to what they write to the Registry / Control Panel. As a result, wingetbot generates a PR with an incorrect version field that does not get accepted into the repo and someone else has to manually create a new PR for it. If you're interested, you can view the discussion in this PR #85234 and the issues #35373, #34421 to understand what has been considered so far as a solution.

How it usually works? New version comes out, hash updates, some user notices and creates issue/submits PR?

So, at the moment:
wingetbot detects hash mismatch and generates an automatic PR --> a moderator manually reviews --> if the metadata is correct, the PR gets merged to the repo else a new PR needs to be created.

The odd thing here is that wingetbot didn't create a PR (as it has done so previously for this package) detecting the hash mismatch and updating the manifest. The automatic PR, albeit with an incorrect version, can inform a mod / contributor that the a new version has come out for the package which requires a manual PR. It didn't in this case so the only way for us to know would be through users of the package in issues like these.

[Andrej730]

Thank you for detailed explanation

[mdanish-kh]

Mentioning @denelon as this might be a bug in wingetbot.

For context: This version was released on 5th January 2023, so this should've been caught by now.